Ohio Gov. John Kasich doesn't seem to understand the digital security process that protects pretty much everything you do online. During the Republican debate last night, he warned about the dangers of encryption while making a pretty basic mistake about how it works.
Encryption protects information by using complex math to scramble it up so that only the people who are supposed to unlock it can actually do that. You rely on it all the time without even realizing it when checking your email or shopping online because it's often baked into your Web experience.
(If you want to know more, we have a big explainer that can help you understand it better!)
But Kasich's description of the kind of information lost to investigators when encryption is used by bad guys missed the mark:
"[T]here is a big problem. It's called encryption. And the people in San Bernardino were communicating with people who the FBI had been watching. But because their phone was encrypted, because the intelligence officials could not see who they were talking to, it was lost."
For one, it remains unclear whether the San Bernardino attackers relied on strongly encrypted methods to plot the attacks.
It's true, however, that some law enforcement officials have warned that criminals or terrorists are "going dark" because of the spread of some forms of encryption. There are stronger forms of encryption in which companies don't hold on to the keys to unlock data.
But Kasich's claim that investigators "could not see who they were talking to" is wrong, according to experts.
"Encryption can be very successful at hiding the content of communications, but it does basically nothing to hide who you are talking to," said Matt Blaze, a leading cryptographer and professor at the University of Pennsylvania. Things like the numbers someone is calling or texting, or what addresses they are emailing, are forms of "metadata" and are still available to investigators by going through service providers.
Kasich isn't the first person to make this mistake — in fact, President Obama made a similar error earlier this year. But Blaze says it's "very concerning" to see the same sort of misinformation continue to show up even as concerns about strong forms of encryption have become a big part of the national security debate.
Part of the problem, he says, is that the issue is much more technical than the rhetoric used by politicians would suggest. "To a large extent, I think encryption has become policy shorthand for all of the different ways that surveillance tech hasn't kept up with communications tech, and, in fact, encryption itself is a relatively small piece of that," Blaze said.
During the debate, Kasich said the issue isn't "easy" but called it a "major problem" that Congress and the president have to deal with to "keep us safe." However, experts on the technology say finding ways to penetrate strong forms of encryption is actually a big national security risk on its own.
A paper released by a cadre of respected encryption experts earlier this year warned that plans for such "exceptional access" would "be likely to introduce unanticipated, hard to detect security flaws" that could be targeted by hackers — as well as raise international legal questions when other countries start asking tech companies that operate globally for the same sort of access.
When the Obama administration weighed the issue earlier this year, its own technical experts couldn't find a way to provide law enforcement access to strongly encrypted information in which the benefits outweighed the risks, according to an internal document obtained by The Washington Post earlier this year.
Oddly, Kasich himself has made similar points in the past: “The minute you begin to solve the encryption problem by [allowing] our security officials in the building to get in the backdoor, it opens the possibility for criminals to be able to use that same backdoor, those who want to harm us to use that same backdoor to exploit access to that encrypted technology,” he said at a Council on Foreign Relations event earlier this month. But even then, Kasich argued that encryption is a problem that could be "fixed."